• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue certificate for securing mail

Rafael Montes

New Pleskian
Hi! yesterday I selected a certificate for securing mail, and now I'm having problems with the emails of all my domains. Is possible to disable a certificate that I've selected? I only can change it, but I want to remove them, and keep it without any certificate, as before. Thanks!
 
Hi! yesterday I selected a certificate for securing mail, and now I'm having problems with the emails of all my domains. Is possible to disable a certificate that I've selected? I only can change it, but I want to remove them, and keep it without any certificate, as before. Thanks!
 
Let me clarify. On default clean Plesk installation initially there is "Unknown" Certificate for securing mail. It is "default certificate" if admin did not change it to another. Therefore you should install "default certificate" if you need to revert all back.
 
I find it very unhelpful that I cannot revert to 'Unknown' (the GUI will not let me, nor is there a CLI command). I have own scripts outside of Plesk which manage the certificates for dovecot, postfix and ProFTPD.

@IgorG You are surely right regarding "default certificate" - BUT the internal mechanism changes:

Dovecot default certificate always used to be at /etc/dovecot/private/ssl-cert-and-key.pem ; as soon as I (mistakenly, or as a trial) select something for "Certificate for securing mail", then Plesk adds a config file /etc/dovecot/conf.d/11-plesk-security-ssl.conf, which refers to /etc/dovecot/private/dovecot.pem. This I could reverse back by a later custom file of my own, e.g. /etc/dovecot/conf.d/50-custom-security.conf

Postfix is a real problem: Plesk generates both main.cf and master.cf, now switching the cert file from postfix_default.pem to postfix.pem. The problem here is, that Postfix does not have any "conf.d" directory, and the only 2 config files it does have are both generated by Plesk. So I see no way to compensate for what Plesk is not allowing me to do (revert to "Unknown").

In any case, I could never delete whatever certificate is assigned in Plesk, because Plesk sees it as being in use. Nor do I feel good with just overwriting the Plesk certs "dovecot.pem" and "postfix.pem" - whenever Plesk regenerates it's config, my .pem files would get overwritten.

What really gets my goat is when a system defines it's own way of doing things and does not give you any opt-out possibility. Look at the choice of word: Not "None" but "Unknown" - implying that Plesk intends to do this - whether I want or not. I find that disrespectful, and an unneccessary straight-jacket.

SO my question: What Database entries do I need to edit to get back to heavenly "unknown"?

Thanks! Tim
 
Now I worked this out for myself:

In Plesk: Tools & Settings | SSL/TLS Certificates | Certificate for securing mail

> If this is NOT "Unknown" then Plesk tries to manage the default certificates for Dovecot and Postfix.

o Once selected, Plesk GUI offers no way back. To get back to "Unknown" delete two records from Plesk DB:

o Tools & Settings | Database Servers | Tools-Icon on far right of MySQL (phpMyAdmin opens in new tab)

o Select Table "ServiceNodeConfiguration"

o Delete the 2 records named "inbound_ssl_cert_id" + "inbound_ssl_cert_id" in section "mailServer"

o At the GUI, we are now back to "Unknown" - but must regenerate the Postfix & Dovecot configs.

# /usr/local/psa/bin/repair --mail (hit Enter to accept "Y")

> That regenerates Postfix's main.cf to use /etc/postfix/postfix_default.pem -
but leaves /etc/dovecot/conf.d/11-plesk-security-ssl.conf unchanged )-:

# plesk sbin sslmng --services=dovecot --certificate --cert=

> That works to get /etc/dovecot/conf.d/11-plesk-security-ssl.conf back to using /etc/dovecot/private/ssl-cert-and-key.pem
 
I too have problems regarding this issue, since i was just rechecking my SSL settings and forgot i should't change the default option on "certificate for securing mail" :(

So now i don't know what is the best option to solve the issue...

@IgorG said that choosing default Plesk certificate is the same as Unknown from what i unserstood - is that right?

or

Should i restore a previous made backup, and if so what is the option i should use just to restore that option? Or if i restore

or

Should i edit the PSA db and delete the records "inbound_ssl_cert_id" and "inbound_ssl" (i believe @TimReeves was refering to these entries, since the two entries on his answer are the same) and then run the commands on SSH to regenerate Postfix & Dovecot configs?
From what i understand, the commands i should run are:
/usr/local/psa/bin/repair --mail
and
plesk sbin sslmng --services=dovecot --certificate --cert=

right? Can someone confirm this fixed the issue?

Plesk GUI should have the option to just choose Unknown again so that we can restore the original settings!!
 
Last edited:
Hi Necroman,

@IgorG said that choosing default Plesk certificate is the same as Unknown from what i unserstood - is that right?

yes, Necroman, IgorG 's statement is actually still correct and it is a possible work-around to choose the "NONE" - option ( which is actually missing )

Should i edit the PSA db and delete the records "inbound_ssl_cert_id" and "inbound_ssl" (i believe @TimReeves was refering to these entries, since the two entries on his answer are the same) and then run the commands on SSH to regenerate Postfix & Dovecot configs?
Delete the 2 records named "inbound_ssl_cert_id" + "inbound_ssl_cert_id" in section "mailServer"
Even that you might notice some kind of "double entries", this doesn't eventually means, that the these two locations and it 's entries define the very same possible option(s) in your PSA - database. Pls. follow the step-by-step description from @TimReeves, as he provided the absolute correct way here, to solve the issue.:)
 
I assume it should work for CentOS too, as we are talking about the database entries - I can't imagine any reason why they would be different. But I don't know for certain as I don't have any server with CentOS. I recommend to just try it - after all, you can easily revert by making a change in the Plesk GUI if it does not work as expected.
 
Well, I try.. and it's work !
But I find only one entry "inbound_ssl_cert_id" in section "mailServer".
(so the second command doesn't work, but i think it's because i have removed only one entry?)
But it's work !
Thanks for all !
 
TimReeves
Hi

I have the same problem - I followed your tutorial to the item
plesk sbin sslmng --services=dovecot --certificate --cert=

The command in my centos 7 says

ERROR: the argument for option '--cert' should follow immediately after the equal sign
Run sslmng --help to view help.
exit status 2


Can you help me ?


Now I worked this out for myself:

In Plesk: Tools & Settings | SSL/TLS Certificates | Certificate for securing mail

> If this is NOT "Unknown" then Plesk tries to manage the default certificates for Dovecot and Postfix.

o Once selected, Plesk GUI offers no way back. To get back to "Unknown" delete two records from Plesk DB:

o Tools & Settings | Database Servers | Tools-Icon on far right of MySQL (phpMyAdmin opens in new tab)

o Select Table "ServiceNodeConfiguration"

o Delete the 2 records named "inbound_ssl_cert_id" + "inbound_ssl_cert_id" in section "mailServer"

o At the GUI, we are now back to "Unknown" - but must regenerate the Postfix & Dovecot configs.

# /usr/local/psa/bin/repair --mail (hit Enter to accept "Y")

> That regenerates Postfix's main.cf to use /etc/postfix/postfix_default.pem -
but leaves /etc/dovecot/conf.d/11-plesk-security-ssl.conf unchanged )-:

# plesk sbin sslmng --services=dovecot --certificate --cert=

> That works to get /etc/dovecot/conf.d/11-plesk-security-ssl.conf back to using /etc/dovecot/private/ssl-cert-and-key.pem
 
I have just found out that Plesk online documentation for sslmng is somewhere between lacking and non-existent. And it's been a while since I had this issue.
All I can suggest is to try naming the certificate explicitly:
# plesk sbin sslmng --services=dovecot --certificate --cert=/etc/dovecot/private/ssl-cert-and-key.pem

But I haven't tried this, so don't blame me :)
I nowadays use the features of the SSLIt! Extension in Plesk, which has obsoleted managing SSL-Certs outside of Plesk for me.
 
Back
Top